Software Security: Static and Dynamic Program Analysis Techniques
Talking Shop: Software Security
Static and Dynamic Program Analysis Techniques
What I expect you to know:
•Security Landscape
–Network, Host, Application
•Common vulnerability:
–SQL Injection, Cross-Site Scripting, Buffer Overflow
•Basic concepts of programming, software development, penetration testing
Agenda
•Common Misconceptions
•Appsec Trends
•Automatic Tools
–Static Analysis
–Dynamic Analysis
•Practical Considerations
Secure the ATM at the last stage
Consider CSV format
Save as CSV
(Comma-Separated Values)
1. CSV: why would you want to filter out [,]?
2. SQL Injection: why would you want to filter out [']?
Consider CSV format (cont'd)
It's not about attacks; it is a program bug.
Whether it is an internal program or a web app, this is a bug.
Fixing SQL Injection: Escaping
    name   → gary
    sku_id → 1234 or 1=1
After escaping: no change
    name   → gary
    sku_id → 1234 or 1=1
    select * from item where account = '$name' and sku_id = $sku_id
Static Analysis
• Analyzes code without executing it
• Able to contemplate many more possibilities than you could execute with conventional testing
• Doesn't know what your code is supposed to do
• Must be told what to look for
Static Analysis Engines
• A typical static analysis tool consists of many different engines
• Different engines use different algorithms to detect different sets of problems
• Common engines are:
– Dataflow
– Control flow
– Semantic
– Configuration
– Structural
– Statistical
– Buffer
– etc…
Data Flow
• Find vulnerabilities where non-trusted input can potentially control application operation.
– Vulnerabilities to injection attacks
• Analyzer uses global taint propagation to trace the flow of nontrusted data
– Source
• Non-trusted (user controlled) input
– Sink
• Potentially dangerous function call or operation
Understanding Data Flow – Sample
    import java.sql.*;

    public class SQLInjection {
        public static void main (String args[]) {
            Connection conn = null;
            try {
                String userName = args [0];   // source: non-trusted, user-controlled input
                String passwd = args [1];
                // the tainted userName is concatenated straight into the SQL text
                String query = "select uname, passwd from users where uname like "+userName+"%";
                conn = DriverManager.getConnection ("jdbc:odbc:logistics", "admin", "letmein");
                Statement stmnt = conn.createStatement ();
                ResultSet rs = stmnt.executeQuery (query);   // sink: the tainted query is executed
                while ( rs.next() ) { /* ... */ }
                rs.close ();
                stmnt.close ();
                conn.close ();
            } catch (SQLException err) {
                err.printStackTrace ();
            }
        }
    }
Data Flow (cont’d)
Same sample as above, with the source highlighted:
    Source: String userName = args [0];   (non-trusted, user-controlled input)
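The global taint propagation the dataflow engine performs, as an added Python example that is not part of the original slides: it runs a forward taint analysis over a hand-built three-address form of the SQLInjection sample above, with args as the source and executeQuery as the sink, and contrasts it with a parameterized rewrite of the same program. The IR, the statement encoding and the escapeSql sanitizer name are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    dst: str     # variable defined by the statement ("" when the call is used only for effect)
    op: str      # "source" | "const" | "concat" | "call"
    args: tuple  # operand variable names; for "call": (callee, *operand variables)

SOURCES = {"args"}          # non-trusted (user controlled) input
SINKS = {"executeQuery"}    # potentially dangerous operation
SANITIZERS = {"escapeSql"}  # hypothetical sanitizer name; the engine trusts such calls blindly

def propagate(program):
    """Forward taint propagation; returns (sink, trace) pairs, a trace being the statement indices along which non-trusted data reached the sink."""
    taint = {}      # variable -> trace explaining why it is tainted
    findings = []
    for i, s in enumerate(program):
        if s.op == "source" and s.args[0] in SOURCES:
            taint[s.dst] = [i]
            continue
        callee, operands = (s.args[0], s.args[1:]) if s.op == "call" else (None, s.args)
        trace = next((taint[v] + [i] for v in operands if v in taint), None)
        if callee in SINKS and trace:
            findings.append((callee, trace))
        elif callee in SANITIZERS or trace is None:
            taint.pop(s.dst, None)   # clean result; a redefinition kills earlier taint
        elif s.dst:
            taint[s.dst] = trace     # concat, assignment or unknown call: taint flows through
    return findings

# Hand-built IR of the page's SQLInjection sample (constructed, not produced by a real front end).
VULNERABLE = [
    Stmt("userName", "source", ("args",)),                           # String userName = args[0];
    Stmt("query", "concat", ("lit_select", "userName", "lit_pct")),  # "select ... like " + userName + "%"
    Stmt("conn", "call", ("getConnection", "lit_url")),
    Stmt("stmnt", "call", ("createStatement", "conn")),
    Stmt("rs", "call", ("executeQuery", "stmnt", "query")),          # sink fed by the tainted query
]
# Same program with a parameterized query: userName is bound as data and never reaches the sink.
FIXED = [
    Stmt("userName", "source", ("args",)),
    Stmt("query", "const", ("lit_select_param",)),                   # "... where uname like ?"
    Stmt("conn", "call", ("getConnection", "lit_url")),
    Stmt("ps", "call", ("prepareStatement", "conn", "query")),
    Stmt("", "call", ("setString", "ps", "userName")),
    Stmt("rs", "call", ("executeQuery", "ps")),
]

if __name__ == "__main__":
    print(propagate(VULNERABLE), propagate(FIXED))   # [('executeQuery', [0, 1, 4])] []
```

The trace is what a real engine prints as the "dataflow path" in its report; note that a sanitizer entry only suppresses a finding, so an escaping routine that is ineffective in an unquoted numeric context (the sku_id case on the earlier slide) would be trusted all the same.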